[LINK] RFI: Clock Synchronisation in Hosts

Glen Turner gdt at gdt.id.au
Thu Nov 13 09:31:59 AEDT 2014


Bernard Robertson-Dunn wrote:
> No self-respecting data centre would use an external source.

It's all external if you think about it: clocks are an agreed standard rather than a physical property.

The point of GPS is that it doesn't share the same failure modes (either in transmission or in control) as Internet-attached NTP servers. The skills and resources required to subvert GPS are not the same as the skills and resources required to subvert external NTP. The countermeasures are different too, and subverting all GPS signals across multiple locations is quite an ask.

I strongly encourage large institutions to run a GPS-referencing NTP server in three separate locations, using a professional-grade outdoor GPS antenna. As the fourth source, take an authenticated feed from the National Measurement Institute. Those four servers then peer together (fully meshed and authenticated) and act as time servers for the institution. Computers which act as authentication servers (Kerberos KDCs, Active Directory DCs) should take individual authenticated feeds from all four servers to limit opportunities for replay attacks via time manipulation.

Apart from the NTP feed from NMI, no NTP should cross the firewall in either direction.

Use your favourite network graphing tool to record clock drift of the four servers and to alarm if any of the four servers is voted out as a falseticker.

-glen
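The monitoring Glen describes in his last paragraph, as an added example that is not part of the original post: a small Python check that parses `ntpq -pn` billboard output and raises an alarm when one of the four expected servers has been voted out as a falseticker, is unreachable, missing, or has drifted past an offset threshold. The addresses, refids and offsets in the sample are constructed (documentation address ranges), and the threshold is an assumed value.

```python
from collections import namedtuple

# Selection tally codes ntpd prints in column one of `ntpq -p`.
TALLY = {" ": "rejected", "x": "falseticker", ".": "excess", "-": "outlier",
         "+": "candidate", "#": "backup", "*": "sys.peer", "o": "pps.peer"}

# Constructed sample billboard (documentation addresses): three GPS-referenced
# servers and a fourth server on the external feed that has been voted out.
SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.11      .GPS.            1 u   32   64  377    0.412   -0.021   0.008
+192.0.2.12      .GPS.            1 u   28   64  377    0.398    0.015   0.011
+192.0.2.13      .GPS.            1 u   45   64  377    0.455   -0.004   0.009
x192.0.2.14      203.0.113.9      2 u   12   64  377   12.331  310.552   0.041
"""
EXPECTED = ["192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.14"]

# reach: ntpd's 8-bit reachability register (printed in octal); offset_ms: clock offset in ms.
Peer = namedtuple("Peer", "tally remote refid stratum reach offset_ms")

def parse_ntpq(text):
    """Parse `ntpq -pn` billboard text into Peer records, skipping the header."""
    peers = []
    for line in text.splitlines():
        cols = line[1:].split()          # column 0 is the tally code
        if len(cols) < 10 or cols[0] == "remote":
            continue
        peers.append(Peer(TALLY.get(line[0], "unknown"), cols[0], cols[1],
                          int(cols[2]), int(cols[6], 8), float(cols[8])))
    return peers

def check_time_sources(peers, expected=EXPECTED, max_offset_ms=100.0):
    """Return alarm strings for each expected source that is missing,
    unreachable, voted out as a falseticker, or drifting past the threshold."""
    by_remote = {p.remote: p for p in peers}
    alarms = []
    for remote in expected:
        p = by_remote.get(remote)
        if p is None:
            alarms.append(f"{remote}: missing from peer list")
        elif p.reach == 0:
            alarms.append(f"{remote}: unreachable")
        elif p.tally == "falseticker":
            alarms.append(f"{remote}: voted out as falseticker ({p.offset_ms:+.3f} ms)")
        elif abs(p.offset_ms) > max_offset_ms:
            alarms.append(f"{remote}: offset {p.offset_ms:+.3f} ms over threshold")
    return alarms
```

Run it periodically against the live `ntpq -pn` output on each of the four servers and feed the alarm list into whatever graphing or alerting tool you already use for the drift graphs.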
